ACS Replications ports

g.careaga
Level 1

Hello all, I have two ACS 3.3, and I am trying to replicate them but it is not working. The topology is something like this:

ACS1<->PIX525<->RouterTelmex-----Internet-----RouterTelmex<->ASA5540<->ACS2

I tested a lot of things, and I suppose that the problem is in the ASA5540. So the question is: does anyone know which ports should be opened in the ASA5540 to allow the replication? I know that port 2000 must be opened, but I think that there must be some more ports.

Thanks a lot.

Gabriel

Accepted Solution

ajagadee
Cisco Employee

Hello Gabriel,

My understanding is, you need only port 2000 to be opened for ACS Replication.

BTW, do you have Skinny inspection enabled on the ASA? ACS replication runs over port 2000, which also happens to be the same port as the Skinny protocol. Make sure that the Skinny inspection on both firewalls is turned off and see if you can get replication.

no fixup protocol skinny 2000

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

tahequivoice
Level 2

Do not NAT the servers!!! The reason is that if you NAT a server private>public---public>private, it will fail replication. The shared secret is encrypted using the IP of the server; the receiving server decrypts it using the IP of the received packet, hence shared secret mismatch. If you can set up an IPSEC tunnel between sites so the servers communicate using their IP address, not a NATted address, then you should be able to replicate OK. Been there, done that, broke them both in the process! :)

Hello, Tahequivoice!

I have to apologize, because now I realize that I described the topology badly.

The topology is not using the Internet; instead of it we are using an MPLS link via Telmex.

ACS1<->PIX525<->RouterTelmex-----MPLS Backbone-----RouterTelmex<->ASA5540<->ACS2

I realized it when you told me not to NAT the addresses!!! I'm sorry. By the way, do I have to check what you mentioned anyway?

First, have you verified connectivity? There is a patch out that allows PING depending on the version (if an appliance). Since you are going through firewalls, open up the IP at both ends, so ACS A IP to ACS B IP and vice versa. If you can ping both ways, make sure you set up replication correctly: the master to send only, the slave to receive ONLY, and that they are sending and receiving the same items. Also do not replicate the distribution table, trust me on this; if you are not proxying, do not send that table to the slave. Three weeks working with Cisco to fix the servers after replicating that one table was a bad thing.

If the above is correct, check the logs at both ends.
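As an added illustration (not configuration from the thread, from Cisco, or from either poster), here is how the advice in the accepted answer (open TCP 2000, turn off Skinny inspection) and in tahequivoice's reply (do not NAT the servers) could be written on the two firewalls. The addresses, the "inside"/"outside" interface names and the assumption that ACS1 is the sending master are constructed for the example; the ASA syntax is pre-8.3 (8.3 and later replaced the `nat 0` exemption with twice NAT).

```text
! ---- Constructed example values (not from the thread) ----
!   ACS1 = 10.1.1.10  (master, sends;  behind the PIX 525)
!   ACS2 = 10.2.2.10  (slave, receives; behind the ASA 5540)
!   Interfaces assumed to be named "inside" and "outside" on both boxes.

! ===== ASA 5540 (pre-8.3 syntax) =====
! Allow only the ACS master to reach the replica on TCP/2000.
access-list OUTSIDE_IN extended permit tcp host 10.1.1.10 host 10.2.2.10 eq 2000
access-group OUTSIDE_IN in interface outside

! Weak (default) setting: the global policy inspects Skinny (SCCP) on TCP/2000,
! so ACS replication traffic is handled as if it were phone signalling:
!   policy-map global_policy
!    class inspection_default
!     inspect skinny
! Corrected: remove Skinny inspection from the default inspection class.
policy-map global_policy
 class inspection_default
  no inspect skinny

! Do not translate the replica when it talks to the master (NAT exemption),
! so the peer sees the real server address that the shared secret is tied to.
access-list NO_NAT extended permit ip host 10.2.2.10 host 10.1.1.10
nat (inside) 0 access-list NO_NAT

! ===== PIX 525 (6.x syntax) =====
! Same idea on the PIX side: no Skinny fixup on 2000, no NAT for the ACS pair.
no fixup protocol skinny 2000
access-list NO_NAT permit ip host 10.1.1.10 host 10.2.2.10
nat (inside) 0 access-list NO_NAT
! Outbound inside->outside is permitted by default; only if an access-group is
! applied inbound on the inside interface is a matching permit needed:
! access-list INSIDE_IN permit tcp host 10.1.1.10 host 10.2.2.10 eq 2000
! access-group INSIDE_IN in interface inside
```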
